CVE-2024-53580: 
Rocky Linux vulnerability analysis and mitigation

A vulnerability has been identified in iperf v3.17.1 that leads to a Denial of Service (DoS) condition. The vulnerability (CVE-2024-53580) involves a segmentation violation in the iperfexchangeparameters() function when processing malformed JSON data. This security flaw affects both Linux and Windows versions of the software (GitHub Release, GitHub POC).

The vulnerability stems from improper handling of JSON data in the iperfexchangeparameters() function. When a field expected to be a string is provided as an integer, it leads to incorrect parameter processing, causing a NULL value to be passed to the strdup() function, resulting in a segmentation fault. The issue has been assigned a CVSS 3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and is classified as a NULL Pointer Dereference (CWE-476) (NVD).

When exploited, this vulnerability can cause the iperf server to crash, resulting in a Denial of Service (DoS) condition. The attack can be triggered by sending malformed JSON data to the iperf server, making the service unavailable to legitimate users (GitHub POC).

The vulnerability has been fixed in iperf version 3.18. The fix includes proper validation of JSON inputs and improved error handling to prevent strdup() from receiving NULL pointers. Users are advised to upgrade to version 3.18 or later to mitigate this security issue (GitHub Release).